07-21-2010 07:11 AM - edited 03-10-2019 05:04 AM
Hi,
I have taken over managing a 6500 IDSM-2 implementation, as far as I can see it has been configured in
Promiscuous Mode with a single virtual sensor assigned to both data ports 0/7 & 0/8.
The switch has been configured with the following commands:
intrusion-detection module 8 management-port access-vlan 507
intrusion-detection module 8 data-port 1 access-vlan 507
monitor session 66 source vlan 501 - 509 , 518 - 520 , 601 - 613
monitor session 66 destination intrusion-detection-module 8 data-port 2
Can anyone tell me why the second command utilises data port 1 and the bottom command utilises data port 2? Is this valid and recommended?
Thanks
D
07-21-2010 09:14 AM
So a little bit about IDSM architecture.
IDSM has one management or command and control port (gig0/2) and 2 data ports (gig0/7 & gig0/8)
These ports on IDSM connect to the 6500 over the backplane.
IDSM Gig0/7 connects to Data-port 1 on 6500.
IDSM Gig0/8 connects to Data-port 2 on 6500.
The configuration involves two things:
1. Configuring IDSM (Date, Time, Assigning virtual sensors to interfaces, signature tuning etc...)
2. Configuring 6500 to send traffic to IDSM.
Are you planning to put the IDSM in promiscuous or inline mode?
The configuration on the 6500 is different for both the modes.
Configuration:
intrusion-detection module 8 management-port access-vlan 507
This puts the management port in vlan 507
intrusion-detection module 8 data-port 1 access-vlan 507
Puts data-port 1 in vlan 507. This is typically done in inline mode.
monitor session 66 source vlan 501 - 509 , 518 - 520 , 601 - 613
monitor session 66 destination intrusion-detection-module 8 data-port 2
This is a span configuration which is sending a copy of the data from the vlans to data-port 2.
This is done when IDSM operates in promiscuous mode.
So in your case, the correct configuration on the 6500 to send traffic to the IDSM depends on which mode you want the IDSM to run in.
Please check the link below which will explain how to configure 6500 for promiscuous or inline mode IDSM configuration.
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html
Let me know if you have any questions.
- Sid
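The two rules Sid gives above (a data port placed in an access VLAN is an inline-style attachment, a data port used as a SPAN destination is a promiscuous-style one) can be applied mechanically to a saved 6500 config. The lint below is an added example, not Sid's or Cisco's code; the sample config is the thread's own four lines, and the handling of a `trunk` keyword on the data-port line is an assumption about the IOS syntax.

```python
import re
from collections import defaultdict

# Constructed sample: the four 6500 lines quoted in the thread for module 8.
SAMPLE_CONFIG = """\
intrusion-detection module 8 management-port access-vlan 507
intrusion-detection module 8 data-port 1 access-vlan 507
monitor session 66 source vlan 501 - 509 , 518 - 520 , 601 - 613
monitor session 66 destination intrusion-detection-module 8 data-port 2
"""

# Inline-style attachment: the data port itself is placed in a VLAN ('trunk' is assumed syntax).
INLINE_RE = re.compile(r"^intrusion-detection module (\d+) data-port (\d+) (access-vlan|trunk)\b")
# Promiscuous-style attachment: the data port is the destination of a SPAN session.
SPAN_DST_RE = re.compile(r"^monitor session (\d+) destination intrusion-detection-module (\d+) data-port (\d+)")
SPAN_SRC_RE = re.compile(r"^monitor session (\d+) source vlan (.+)$")


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '501 - 509 , 518 - 520' into sorted VLAN ids."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return sorted(vlans)


def classify_idsm_ports(config):
    """Map module -> data port -> ('inline', keyword) or ('promiscuous', session, vlans)."""
    ports = defaultdict(dict)
    span_sources = defaultdict(list)
    span_dests = []
    for line in config.splitlines():
        line = line.strip()
        if m := INLINE_RE.match(line):
            ports[int(m[1])][int(m[2])] = ("inline", m[3])
        elif m := SPAN_SRC_RE.match(line):
            span_sources[int(m[1])] += expand_vlans(m[2])
        elif m := SPAN_DST_RE.match(line):
            span_dests.append((int(m[1]), int(m[2]), int(m[3])))
    for session, module, port in span_dests:  # source lines may follow the destination line
        ports[module][port] = ("promiscuous", session, sorted(span_sources[session]))
    return dict(ports)


def find_mixed_modes(config):
    """Modules whose data ports are attached in both inline and promiscuous style: review these."""
    return [mod for mod, p in classify_idsm_ports(config).items()
            if {mode for mode, *_ in p.values()} == {"inline", "promiscuous"}]
```

Running `find_mixed_modes(SAMPLE_CONFIG)` on the thread's config returns `[8]`, flagging exactly the mismatch D asked about; a module whose data ports are all SPAN destinations (promiscuous) or all in VLANs (inline) is not reported.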
07-22-2010 12:59 AM
Thanks for the quick response Sid.
Okay, that makes sense. It looks like the IDS has been deployed as promiscuous, so I can remove the data port 1.
Thanks for your help.
D